Security
Learn about Thox.ai's security features and how to protect your device.
Your Data Stays Private
Thox.ai processes everything locally on your device. Your code, queries, and AI responses never leave your network. No cloud processing, no data collection, no telemetry by default.
Data privacy and local processing
Your code never leaves your network.
Local-first architecture
All AI processing happens on your Thox.ai device. Your code, queries, and completions never leave your local network. No data is sent to cloud servers.
No telemetry by default
Thox.ai does not collect telemetry, usage data, or analytics. Optional anonymous crash reports can be enabled to help improve the product.
Data retention
Conversation history and code context are held in memory only. Nothing is written to disk unless you explicitly save it, and unsaved context is gone when the device restarts. Clear everything immediately with "thox data clear".
Audit logging
Enable audit logs in /admin/security to record every API request. By default each entry holds the timestamp, endpoint, and client IP, not the request or response body, so enabling them does not copy code or prompts into the log.
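A first-pass review of audit log lines, added here as an example and not part of Thox.ai's own tooling. The line layout it parses ("timestamp, client IP, method, endpoint, HTTP status") is an assumption for this example; check the real log format on your device before relying on it. The sample lines are constructed. It flags the things an isolated deployment should never show: clients outside the development networks, /admin requests from hosts not on the admin allow-list, and clients piling up authentication failures.

```python
# Added example, not Thox.ai's code. The log layout is an ASSUMPTION:
#   "<timestamp> <client IP> <method> <endpoint> <HTTP status>"
# Sample lines below are constructed for illustration.
import ipaddress
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)

SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.10.5.21 POST /v1/completions 200
2024-05-01T09:00:02Z 10.10.5.21 POST /v1/completions 200
2024-05-01T09:00:05Z 10.10.5.22 GET /v1/models 200
2024-05-01T09:01:10Z 10.10.9.7 GET /admin/users 403
2024-05-01T09:01:11Z 10.10.9.7 POST /admin/api-keys 403
2024-05-01T09:02:00Z 192.168.77.4 GET /v1/models 401
2024-05-01T09:02:01Z 192.168.77.4 GET /v1/models 401
2024-05-01T09:02:01Z 192.168.77.4 GET /v1/models 401
2024-05-01T09:02:02Z 192.168.77.4 GET /v1/models 401
2024-05-01T09:02:02Z 192.168.77.4 GET /v1/models 401
2024-05-01T09:03:00Z malformed entry
2024-05-01T09:05:00Z 10.10.5.30 GET /admin/security 200
"""


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def review(log_text, dev_nets, admin_hosts, fail_threshold=5):
    """Flag clients outside the development VLAN(s), /admin requests from
    hosts not on the admin allow-list, and clients with many 401/403s."""
    nets = [ipaddress.ip_network(n) for n in dev_nets]
    admins = {ipaddress.ip_address(h) for h in admin_hosts}
    outside, admin_misuse, failures = set(), [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not guessed at
        ip = rec["ip"]
        if not any(ip in net for net in nets):
            outside.add(str(ip))
        is_admin_path = rec["path"] == "/admin" or rec["path"].startswith("/admin/")
        if is_admin_path and ip not in admins:
            admin_misuse.append((str(ip), rec["path"]))
        if rec["status"] in (401, 403):
            failures[str(ip)] += 1
    return {
        "outside_vlan": outside,
        "admin_from_non_admin": admin_misuse,
        "auth_failure_bursts": {ip: n for ip, n in failures.items() if n >= fail_threshold},
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, dev_nets=["10.10.5.0/24"], admin_hosts=["10.10.5.30"])
    for name, value in findings.items():
        print(name, value)
```

Run it against an exported log with your own VLAN ranges and admin hosts; because request bodies are not logged, this is about who talked to the device and which endpoints they hit, not what they sent.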
Network security configuration
Secure your device on the network.
HTTPS configuration
Enable HTTPS in /admin/security > TLS. Upload your own certificate or generate a self-signed one. A self-signed certificate still encrypts traffic, but every client must be told to trust it explicitly (import it or pin its fingerprint) or it will warn on each connection; production deployments should use a certificate issued by a CA your clients already trust.
Firewall settings
The device firewall is enabled by default. Only ports 8080 (HTTP/HTTPS) and 22 (SSH, if enabled) are open. Additional ports can be configured as needed.
Network isolation
For maximum security, place the device on an isolated VLAN reachable only from development machines. Block outbound internet access unless it is needed for model downloads.
VPN access
Configure WireGuard VPN in /admin/network > VPN to reach the device remotely. Traffic inside the tunnel is encrypted, and only the WireGuard UDP port needs to be reachable from outside; the web interface and SSH stay off the internet.
Authentication and access control
Manage who can access your device.
Admin credentials
Change the default admin password immediately after first login. Use a strong, unique password, ideally generated and stored by a password manager.
API keys
Generate API keys in /admin/api-keys. Each key can carry specific scopes (read, write, admin) and a rate limit; give each client the narrowest scope it needs. Revoke compromised keys immediately.
Multi-user access
Create additional users in /admin/users. Assign roles: viewer (read-only), developer (API access), or admin (full access). Each user gets unique credentials.
SSO integration
Enterprise licenses support SAML 2.0 and OIDC for single sign-on. Configure in /admin/security > SSO. Contact sales for enterprise licensing.
Two-factor authentication
Enable 2FA for admin accounts in /admin/security > 2FA. Supports TOTP apps like Google Authenticator or Authy.
Encryption and data protection
How your data is protected.
Data at rest
Downloaded models are stored unencrypted for performance. Enable disk encryption in /admin/security for sensitive deployments. This adds some performance overhead.
Data in transit
All API communications use TLS 1.3 when HTTPS is enabled. Connections without TLS are clearly marked as insecure in the web interface.
Secure boot
The device uses secure boot to verify firmware integrity. Unsigned or modified firmware will not load, which protects against tampered images introduced through the supply chain.
Key management
API keys are stored as hashes and admin passwords are hashed with bcrypt, so a copy of the credential store cannot be replayed directly against the device. The device includes a hardware security module (HSM) for certificate and private key storage.
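How hashed API-key storage, scope checks, rate limits and revocation (the API keys section above) and hashed admin passwords (this section) fit together, as an added example that is not Thox.ai's code. The "thx_" key prefix and key layout are assumptions made for the example. Two different hashes are used on purpose: an API key carries 256 bits of randomness, so a plain SHA-256 is enough and fast lookups are fine; a password is low-entropy and needs a slow, salted hash. The page says the device uses bcrypt, which is not in Python's standard library, so the example substitutes hashlib.scrypt as a stand-in for the same role.

```python
# Added example, not Thox.ai's code. KEY_PREFIX and the "<id>.<secret>"
# key layout are ASSUMPTIONS for illustration only.
import hashlib
import hmac
import secrets

KEY_PREFIX = "thx_"
SCOPES = {"read", "write", "admin"}


def hash_api_key(key: str) -> bytes:
    # Keys are 256-bit random strings, so a fast unsalted hash is appropriate
    # here; the slow, salted KDF below is for passwords, which are guessable.
    return hashlib.sha256(key.encode()).digest()


class ApiKeyStore:
    """Stores only the hash of each key, plus scopes, rate limit and state."""

    def __init__(self):
        self._records = {}  # key id -> record

    def issue(self, scopes, rate_limit_per_min=60) -> str:
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(4)
        key = f"{KEY_PREFIX}{key_id}.{secrets.token_urlsafe(32)}"
        self._records[key_id] = {
            "hash": hash_api_key(key),
            "scopes": frozenset(scopes),
            "limit": rate_limit_per_min,
            "revoked": False,
            "window": None,  # current one-minute window
            "count": 0,      # requests seen in that window
        }
        return key  # shown to the user once; the plaintext is never stored

    def revoke(self, key_id: str) -> None:
        self._records[key_id]["revoked"] = True

    def authorize(self, presented: str, scope: str, now: float):
        """Return (allowed, reason) for one request at time `now` (seconds)."""
        rec = None
        if presented.startswith(KEY_PREFIX) and "." in presented:
            rec = self._records.get(presented[len(KEY_PREFIX):].split(".", 1)[0])
        if rec is None:
            return (False, "unknown key")
        if not hmac.compare_digest(rec["hash"], hash_api_key(presented)):
            return (False, "bad secret")
        if rec["revoked"]:
            return (False, "revoked")
        if scope not in rec["scopes"]:
            return (False, "scope")
        window = int(now) // 60
        if rec["window"] != window:
            rec["window"], rec["count"] = window, 0
        if rec["count"] >= rec["limit"]:
            return (False, "rate limited")
        rec["count"] += 1
        return (True, "ok")


def hash_password(password: str) -> str:
    """Salted scrypt (stand-in for bcrypt); returns a self-describing string."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue(["read"], rate_limit_per_min=100)
    print(key, store.authorize(key, "read", now=0), store.authorize(key, "admin", now=0))
```

Because the secret part of the key is never stored, a leaked copy of the store gives an attacker only hashes of unguessable strings; revocation flips a flag on the record, so a compromised key stops working on the next request without touching anything else.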
Security updates and patches
Keep your device secure and up-to-date.
Automatic updates
Enable automatic security updates in /admin/updates. Critical patches are applied within 24 hours of release. Feature updates require manual approval.
Manual updates
Check for updates: "thox update check". Install updates: "thox update install". Review release notes before updating production devices.
Rollback
If an update causes issues, roll back to the previous version with "thox update rollback". The previous two versions are kept for rollback.
Security advisories
Subscribe to security notifications at thox.ai/security. We disclose vulnerabilities following a 90-day responsible disclosure policy.
Compliance and certifications
Regulatory compliance information.
GDPR compliance
Thox.ai is GDPR-compliant by design. No personal data is collected or processed externally. You maintain full control of your data.
SOC 2 Type II
Our development and support processes are SOC 2 Type II certified. Certification reports available to enterprise customers under NDA.
HIPAA
The device can be deployed in HIPAA-covered environments when properly configured. BAA available for enterprise customers.
Export compliance
Thox.ai devices comply with US export regulations. Some encryption features may be restricted in certain countries. Contact sales for specific requirements.